GAO Cybersecurity Report and Recommendations for HHS

The Government Accountability Office (GAO) wants HHS to improve cybersecurity efforts by strengthening collaboration within the department and with the broader healthcare sector.
Health care organizations' IT systems are critical to the nation's well-being. Cyberattacks on them could, for example, put patient privacy at risk or disrupt essential telehealth services. (The nation's cybersecurity is on our High Risk List.)
The Department of Health and Human Services coordinates with health care organizations and others to support cybersecurity efforts. Its policies and procedures clearly describe roles and responsibilities, which is good for collaboration.
GAO is making seven recommendations to HHS to improve its collaboration and coordination within the department and the sector:
1. The HHS secretary should have the CIO overseeing the coordination and sharing of cybersecurity information between the Health Sector Cybersecurity Coordination Center and Healthcare Threat Operations Center.
2. The HHS secretary should order the CIO to monitor, evaluate and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group.
3. HHS should direct the assistant secretary for preparedness and response to monitor, evaluate and report on the progress and performance of the Government Coordinating Council's Cybersecurity Working Group and HHS Cybersecurity Working Group.
4. HHS should have the CIO regularly monitor and update written agreements that describe how the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group will collaborate and ensure that officials review and approve the updated agreements.
5. HHS should direct the assistant secretary for preparedness and response to ensure that authorizing officials review and approve the charter describing how the HHS Cybersecurity Working Group will manage collaboration.
6. HHS should have the assistant secretary for preparedness and response do the following: finalize written agreements that include a description of how the Government Coordinating Council's Cybersecurity Working Group will work together; identify the working group's roles and responsibilities; monitor and update the written agreements on a regular basis; and ensure that authorizing officials leading the working group approve the final agreements.
7. HHS should tell the assistant secretary for preparedness and response to update the charter for the Joint Healthcare and Public Health Cybersecurity Working Group for the current fiscal year and ensure that authorizing officials overseeing the group review and approve the updated charter.

IAEA and FAO Help Burkina Faso and Algeria to Enhance Food Safety & Security

The IAEA and the Food and Agriculture Organization of the United Nations (FAO) cooperate in supporting food safety and food quality programmes around the world to address food hazards, food fraud and advise countries on food irradiation. Among the beneficiaries of this programme have been Burkina Faso and Algeria. To celebrate World Food Safety Day, we are drawing attention to the importance of nuclear techniques in monitoring food safety. “Safe food today for a healthy tomorrow” – this year’s theme – recognizes how safe food contributes to a healthy life, economy, planet and future.
Enhanced food safety capabilities in Burkina Faso
Tiny but oil- and vitamin-rich sesame seeds have become a staple of Burkina Faso’s economy – creating jobs and generating income. After cotton, the edible seeds that grow in pods have become the West African country’s second most exported agricultural product. This sprouting success in the last decade has been sustained with the help of Burkina Faso’s National Public Health Laboratory (LNSP), supported by the IAEA and FAO, through their Joint Cenre on Nuclear Techniques in Food and Agriculture.
Enhancing food safety analytical capabilities in Algeria
Laboratories in Algeria have received the support to enhance their analytical capabilities for the detection of chemical hazards, including antimicrobial and pesticide residues in a range of food, from poultry and eggs to dates and honey. Algeria was the world’s sixth leading exporter of dates, worth approximately US $129 million in 2020.
Through the IAEA’s technical cooperation programme and in partnership with FAO, staff of the Algerian National Institute for Agronomic Research (INRAA) and the National Institute of Veterinary Medicine (INMV) have been trained in methods of analysis and supported with the required analytical equipment. These institutions are now equipped to contribute towards consumer protection and the trade of agricultural products.

Recommendations for measures to prevent hospital fires

The European Commission’s Joint Research Centre (JRC) issued a series of recommendations to help prevent the hospital fires associated with medical oxygen needed for Covid-19 severely ill patients, from electrical maintenance to administrative measures and largely spread training and guidance on prevention and risk management strategies for oxygen hazards.

Since the outbreak of the pandemic in March 2020, at least 36 incidents of hospital fires associated with intense oxygen use have been found to have occurred in various countries around the world, causing the deaths of over 200 people and injuring many more.

The majority of the dead and injured were patients extremely ill with the novel Coronavirus and others were their health care providers. Most deaths resulted directly from the fire but there were also several deaths from patients deprived of oxygen because of the event.

In comparison, up until 2020, the media shows an average of just over one such event per year since 2011.

According to the JRC recommendations, the strategies to prevent and mitigate the fire risk in intensive care units should evolve around three main elements:

• Guidance on oxygen therapy for Covid-19 and other diseases needs to identify specific prevention measures that can reduce the risk of oxygen-enriched environments in these settings;

• All hospitals should establish a risk management strategy for oxygen hazards led by hospital management, involving all staff, including healthcare workers, maintenance, housekeeping and administration;

• As part of this policy, all hospitals should track the number of patients having medical gas treatment and, when elevated, an appropriate fire risk management policy should be applied.

The hospitals should use as examples strategies developed for chemical process safety to manage flammable and explosive atmospheres. The management procedures should involve medical and non-medical staff, and prevention and emergency preparedness should take into account potential intensive care unit fires.

Guidelines for Cybersecurity in Hospitals: New Online tool

The new tool helps healthcare organisations identify best practices in order to meet cybersecurity needs when procuring products or services.
To facilitate the use of the Procurement Guidelines for Cybersecurity in Hospitals published in 2020, ENISA releases an online tool today to support the healthcare sector in identifying procurement good practices to meet cybersecurity objectives when procuring products or services.
In addition, the Agency also publishes a concise version of the procurement guidelines dedicated to the sector in each of the 24 EU official languages.
Cybersecurity in Healthcare: why does it matter?
The COVID-19 pandemic demonstrated the value of eHealth services such as telemedicine and remote patient care.
Since it has become increasingly digital and interconnected, the healthcare sector needs to consider cybersecurity as an enabler and as a key factor for ensuring the resilience and availability of key healthcare services.
Cybersecurity needs to be envisaged throughout the procurement lifecycle. IT departments should be involved in procurement activities as the cybersecurity implications in the procurement of any product or service should be well understood and consistently addressed by healthcare organisations.
EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, declared: “Securing eHealth today means ensuring the resilience of the EU’s life support system, the healthcare sector. ENISA is committed to shape the ICT environment needed to prevent cybersecurity incidents and attacks on our healthcare sector.”
Procurement Guidelines and online tool: What for?
The online tool was developed as a complement to the procurement guidelines for cybersecurity in hospitals. Its purpose is:
- To help healthcare organisations to quickly identify the guidelines that are most relevant to their procurement context such as assets procured or related threats;
- To promote the importance of a good procurement process to ensure appropriate security measures.
To facilitate the dissemination of good practices across all healthcare organisations across the EU, a concise version of the procurement guidelines is now made available in the 22 official EU languages and the full version is available in english and spanish languages.
The report on procurement guidelines has already generated a significant interest in the healthcare cybersecurity community.
Stakeholders in the sector, including members of the eHealth Security Experts Group suggested the idea of an interactive format of the guidelines making it possible to customise searches and help decision making through informed procurement.
The guidelines were translated in order to allow health organisations across Member States to directly access the content in their own language.
Who is it meant for?
- Procurement officers of healthcare organisations;
- Healthcare professionals with technical positions or in charge of IT systems and equipment;
- Chief level executives such as CIO, CISO, CTO;
- The EU citizens involved in or seeking to develop knowledge and awareness on such processes.

Universal Health Services lost $67m to ransomware attack

UHS was among the first hit with the coordinated ransomware wave that targeted the healthcare sector last year. On September 29 last year, Universal Health Services announced in a press release that due to an IT security incident that took place two days earlier, it had to suspend user access to its IT applications related to operations located in the United States.
In the early hours of September 27, UHS clinicians and staff members took to Reddit to determine if other UHS employees across the country were experiencing similar computer and phone outages.
The thread detailed internet and data center outages, with one employee attributing the incident to a ransomware attack after seeing ransom messages from the Ryuk hacking group displayed on some computer screens.
Upon discovery, the IT team took all systems offline to prevent further propagation. The following day, UHS officials confirmed the event as an IT disruption, before reporting as a malware infection several days later.
The disruption caused by the ransomware attack was immense, considering UHS is among the largest providers of hospital and healthcare services in the US, featuring among Fortune 500 companies in 2019 with annual revenue of $11.4 billion and also ranking #330 in Forbes list of U.S.' Largest Public Companies.
The company employs around 90,000 people across 26 acute care hospitals, 330 behavioral health facilities, 41 outpatient facilities, and a number of ambulatory care access points and a network of physicians. Aside from the US, Universal Health Services also operates in Puerto Rico and the United Kingdom.
UHS said that it immediately implemented extensive IT security protocols and was working with security partners to restore the affected IT services as soon as possible. The incident caused temporary disruption to some clinical and financial operations, forcing acute care and behavioural health facilities to rely on offline documentation efforts to deliver round-the-clock patient care.

How artificial intelligence can help transform Europe’s health sector

A high-standard health system, rich health data and a strong research and innovation ecosystem are Europe’s key assets that can help transform its health sector and make the EU a global leader in health-related artificial intelligence applications.
The use of artificial intelligence (AI) applications in healthcare is increasing rapidly.
Before the COVID-19 pandemic, challenges linked to our ageing populations and shortages of healthcare professionals were already driving up the adoption of AI technologies in healthcare.
The pandemic has all but accelerated this trend. Real-time contact tracing apps are just one example of the many AI applications used to monitor the spread of the virus and to reinforce the public health response to it.
AI and robotics are also key for the development and manufacturing of new vaccines against COVID-19.
A fresh JRC analysis shows that European biotech companies relying on AI have been strong partners in the global race to deliver a COVID-19 vaccine.
Based on this experience, the analysis highlights the EU’s strengths in the “AI in health” domain and identifies the challenges it still has to overcome to become a global leader.
High standard health system safeguards reliability of AI health applications
Europe’s high standard health system provides a strong foundation for the roll out of AI technologies.
Its high quality standards will ensure that AI-enabled health innovations maximise benefits and minimise risks.
The JRC study suggests that, similarly to the General Data Protection Regulation (GDPR), which is now considered a global reference, the EU is in a position to set the benchmark for global standards of AI in health in terms of safety, trustworthiness, transparency and liability.
The European Commission is currently preparing a comprehensive package of measures to address issues posed by the introduction of AI, including a European legal framework for AI to address fundamental rights and safety risks specific to the AI systems, as well as rules on liability related to new technologies.
Strong European research ecosystem supported by EU funding
At the moment, the EU is already well positioned in the application of AI in the healthcare domain - slightly behind China but on par with the US.
But judging from the EU’s research capacities, there is more potential.
The JRC analysis notes the strong investment of European biotech companies in research: in the EU, almost two thirds of all medical AI players are involved in research, against approximately one-third in China.
Consequently, Europe has a strong and diversified research and innovation ecosystem in the area of AI in health.
European companies are particularly strong in health diagnostics, health technology assessment, medical devices and pharmaceuticals.
The EU’s research framework programmes play an important role in the European research and innovation landscape in this domain.
A JRC report published in 2020 indicates that 146 projects linked to AI in health have been launched under the Horizon 2020 framework programme.
The funding of AI in health related projects has been increasing over time, reaching over €100 million in 2020.

Securing Cloud Services for Health: New report by EU Agency for Cybersecurity helps healthcare organisations securely adopt cloud services and prepare for cybersecurity challenges

The European Union Agency for Cybersecurity (ENISA) published the Cloud Security for Healthcare Services report, which provides cybersecurity guidelines for healthcare organisations to help further digitalise with cloud services. Building on ENISA’s procurement guidelines for cybersecurity in hospitals, published early last year, this new report assesses the cybersecurity risks of cloud services and offers good practices for their secure integration into the European healthcare sector. The ENISA report comes as the European Commission is moving forward this year with the European Health Data Space initiative to promote the safe exchange of patients’ data and access to health data.
The COVID-19 pandemic has underlined an increased need for efficient – and secure – digital healthcare services. Cloud solutions allow for the flexible and rapid deployment of the electronic storage of data and electronic communications such as telemedicine. However, the complexity of legal systems and new technologies, as well as concerns over the security of sensitive patient data have slowed the healthcare sector in adopting cloud services.
EU Agency for Cybersecurity Executive Director Juhan Lepassaar said: “A resilient health sector relies on secure digital solutions. The EU Agency for Cybersecurity provides healthcare organisations with guidance to address cybersecurity concerns related to cloud services and is preparing an EU Cloud Cybersecurity Certification scheme, both of which aim to do just that.”
The report addresses these concerns by providing security guidelines for three main areas in which cloud services are used by the healthcare sector, namely for:
Electronic Health Record (EHR), i.e. systems focusing on the collection, storage, management and transmission of health data, such as patient information and medical exam results;
Remote Care, i.e. the subset of telemedicine supporting remote patient-doctor consultation;
Medical Devices, i.e. cloud services supporting the operation of medical devices such as making medical device data available to different stakeholders or for device monitoring.
For each of these use cases, the report highlights the main factors to be considered when healthcare organisations conduct the relevant risk assessment – for example, in terms of risk to sensitive patient data or availability of a medical service. These guidelines, however, are only a first step for healthcare providers to adapt securely to the cloud. More support is needed, such as established industry standards on cloud security, specific direction from national and EU authorities, and further guidelines from Data Protection Authorities on transferring healthcare data to the cloud.
The report also proposes a set of security measures for healthcare organisations to implement when planning their move to cloud services, such as establishing processes for incident management, defining data encryption requirements, and ensuring data portability and interoperability. The measures are proposed taking into consideration the draft candidate EU Cybersecurity Certification Scheme on Cloud Services (EUCS) to ensure compatibility and requirements mapping. The Agency’s draft scheme is part of the larger cybersecurity certification framework aimed at enhancing trust in ICT products, services and processes across Europe. The draft scheme is open for public consultation until 7 February 2021.
The EU Agency for Cybersecurity will continue its work to strengthen the cybersecurity of Europe’s healthcare sector by publishing guidelines, promoting information sharing, collaborating with policy-makers and organising events such as the annual eHealth Conference, addressing the healthcare sector’s major cybersecurity challenges.

INTERPOL warns of organized crime threat to COVID-19 vaccines

INTERPOL has issued a global alert to law enforcement across its 194 member countries warning them to prepare for organized crime networks targeting COVID-19 vaccines, both physically and online.
The INTERPOL Orange Notice outlines potential criminal activity in relation to the falsification, theft and illegal advertising of COVID-19 and flu vaccines, with the pandemic having already triggered unprecedented opportunistic and predatory criminal behaviour.
It also includes examples of crimes where individuals have been advertising, selling and administering fake vaccines.
As a number of COVID-19 vaccines come closer to approval and global distribution, ensuring the safety of the supply chain and identifying illicit websites selling fake products will be essential.
The need for coordination between law enforcement and health regulatory bodies will also play a vital role to ensure the safety of individuals and wellbeing of communities are protected.
Vaccines prime target of organized crime
“Criminal networks will also be targeting unsuspecting members of the public via fake websites and false cures, which could pose a significant risk to their health, even their lives.
“It is essential that law enforcement is as prepared as possible for what will be an onslaught of all types of criminal activity linked to the COVID-19 vaccine, which is why INTERPOL has issued this global warning,” concluded Secretary General Stock.
As well as targeting COVID-19 vaccines, as international travel gradually resumes it is likely that testing for the virus will become of greater importance, resulting in a parallel production and distribution of unauthorized and falsified testing kits.
Online dangers
With an increasing amount of COVID-related frauds, INTERPOL is also advising members of the public to take special care when going online to search for medical equipment or medicines.
In addition to the dangers of ordering potentially life-threatening products, an analysis by the INTERPOL’s Cybercrime Unit revealed that of 3,000 websites associated with online pharmacies suspected of selling illicit medicines and medical devices, around 1,700 contained cyber threats, especially phishing and spamming malware.
To avoid falling victim to online scams, it is important to be vigilant, be skeptical and be safe, as offers which appear too good to be true usually are. Always check with your national health authorities or the World Health Organization for the latest health advice in relation to COVID-19.